OCPSTRAT-612 (project: OpenShift Container Platform (OCP) Strategy)

Automate workaround for SELinux relabeling issue for large volumes


Details

    • OCPSTRAT-28 Secure the Platform

    Description

      Epic Goal

         There is a known design limitation in Kubernetes: files within a PV need to be relabeled during the attachment process. Depending on the number of files and on backend performance/load, this can lead to timeouts and pod creation failures, or even worse, to nodes moving to NotReady because the container runtime becomes unresponsive.

      STOR-966 aims to bring a native long-term solution upstream, but it will take several cycles to reach GA upstream and to be supported downstream in OCP.

      In the meantime we offer two workarounds, described in this KCS. Unfortunately customers are reluctant to use them: they require the pod definitions to include additional parameters, and there is no guarantee that OCP project users will add them, which leaves the environment exposed to this issue.

      The goal of this epic is to implement functionality to automate the suggested workaround so that users don't have to specify the spc_t seLinuxOptions or TrySkipVolumeSELinuxLabel annotation.


      Why is this important?

      We are facing more and more escalations from customers hitting this issue, and the workarounds are not adopted because they are not automated (the pod definition has to be changed manually).

      Scenarios

      • Find automation for the spc_t workaround so that users don't have to add it to their pod definition.
      • Find automation for the TrySkipVolumeSELinuxLabel workaround so that users don't have to add it to their pod definition.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.


      Proposal

      The proposal is at https://hackmd.io/4HsVTfTjTZ-pO23r7e_7SQ?view 


      Open questions

      1. Are users okay with marking the namespaces/projects within which pods are injected with the workaround?
      2. Is there a preference between the two workarounds?
      3. Migration once this is fixed upstream. 
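One way the namespace-marking approach from the open questions could be realized, shown here as an added example that is not part of the epic or the linked proposal: the core logic of a mutating admission webhook that injects the spc_t workaround only for pods mounting a PVC in a namespace that opted in. The label key, the sample pod and the request UID are constructed for this example.

```python
import base64
import json
# Label key the webhook treats as the namespace opt-in. The key is an assumption
# for this example; the epic only asks whether marking namespaces is acceptable.
OPT_IN_LABEL = "example.openshift.io/selinux-relabel-workaround"

def mounts_pvc(pod):
    """Only pods that mount a PVC pay the relabeling cost, so only they get patched."""
    return any("persistentVolumeClaim" in v for v in pod.get("spec", {}).get("volumes", []))

def build_patch(pod):
    """JSON Patch (RFC 6902) ops adding seLinuxOptions.type=spc_t at pod level.
    spc_t is the unconfined 'super privileged container' type, so the caller
    must inject it only for namespaces that explicitly opted in."""
    ctx = pod.get("spec", {}).get("securityContext")
    if ctx is None:
        return [{"op": "add", "path": "/spec/securityContext",
                 "value": {"seLinuxOptions": {"type": "spc_t"}}}]
    if "seLinuxOptions" in ctx:
        return []  # the pod author chose their own labeling; never override it
    return [{"op": "add", "path": "/spec/securityContext/seLinuxOptions",
             "value": {"type": "spc_t"}}]

def admission_response(review, namespace_labels):
    """AdmissionReview response for a Pod CREATE; a patch is attached only when opted in."""
    req = review["request"]
    patch = []
    if namespace_labels.get(OPT_IN_LABEL) == "true" and mounts_pvc(req["object"]):
        patch = build_patch(req["object"])
    resp = {"uid": req["uid"], "allowed": True}
    if patch:
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}

def decoded_patch(admission_review):
    """Decode the base64 JSON Patch from a response (empty list when none)."""
    p = admission_review["response"].get("patch")
    return json.loads(base64.b64decode(p)) if p else []

# Constructed sample: a pod mounting a PVC, created in an opted-in namespace.
SAMPLE_REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "example-uid", "namespace": "bigdata", "object": {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "etl", "namespace": "bigdata"},
        "spec": {"containers": [{"name": "etl", "image": "example/etl"}],
                 "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "big-pvc"}}]}}}}
SAMPLE_NS_LABELS = {OPT_IN_LABEL: "true"}
if __name__ == "__main__":
    print(json.dumps(admission_response(SAMPLE_REVIEW, SAMPLE_NS_LABELS), indent=2))
```

A pod that already sets seLinuxOptions keeps its own value, and a namespace without the label gets an allowed response with no patch, so the opt-in question from the epic maps directly onto the namespace label check.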

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            People

              Gaurav Singh (gausingh@redhat.com)
              Mrunal Patel (mpatel1@redhat.com)
              Jan Safranek, Ryan Phillips
              Aruna Naik
              Matthew Werner
              Mrunal Patel
              Derrick Ornelas
              Votes: 2
              Watchers: 25
